Implementing Apache Security Headers

How to configure security related HTTP response headers with Apache

Simply add the following headers to either a VirtualHost directive (as demonstrated below) or in the main configuration:

<VirtualHost *:443>
Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff 
Header set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
Header set Referrer-Policy no-referrer
ServerName ...

Add these to the main configuration will also minimise information leakage:

ServerTokens Prod
ServerSignature Off

Use the Security Headers site to test the results. It also provides further information on what these headers are for etc.